1. Department of Computer Science and Information Technology, University of Malaya, Kuala Lumpur 50603, Malaysia 2. Department of Computer Science, Universiti Tunku Abdul Rahman (Jalan Universiti), Kampar 31900, Malaysia
In this paper, a new scheme that uses digraph substitution rules to conceal the mechanism or activity required to derive password-images is proposed. In the proposed method, a user is only required to click on one of the pass-image instead of both pass-images shown in each challenge set for three consecutive sets.While this activity is simple enough to reduce login time, the images clicked appear to be random and can only be obtained with complete knowledge of the registered password along with the activity rules. Thus, it becomes impossible for shoulder-surfing attackers to obtain the information about which password images and pass-images are used by the user. Although the attackers may know about the digraph substitution rules used in the proposed method, the scenario information used in each challenge set remains. User study results reveal an average login process of less than half a minute. In addition, the proposed method is resistant to shoulder-surfing attacks.
Jiang P, Wen Q Y, Li W M, Jin Z P, Zhang H. An anonymous and efficient remote biometrics user authentication scheme in a multi server environment. Frontiers of Computer Science, 2015, 9(1): 142–156 https://doi.org/10.1007/s11704-014-3125-7
2
Sasse M A, Brostoff S, Weirich D. Transforming the “weakest link”: a human-computer interaction approach for usable and effective security. BT Technology Journal, 2001, 19(3): 122–131 https://doi.org/10.1023/A:1011902718709
3
Herley C, Oorschot P C, Patrick A S. Passwords: if we’re so smart, why are we still using them?. In: Proceedings of the 13th International Conference on Financial Cryptography and Data Security. 2009, 23–26 https://doi.org/10.1007/978-3-642-03549-4_14
De-Angeli A, Coventry L, Johnson G, Renaud K. Is a picture really worth a thousand words? Exploring the feasibility of graphical authentication systems. International Journal of Human-Computer Studies, 2005, 63(1): 128–152 https://doi.org/10.1016/j.ijhcs.2005.04.020
6
Forget A, Chiasson S, Biddle R. Shoulder-surfing resistance with eyegaze entry in cued-recall graphical passwords. In: Proceedings of the 28th Annual CHI Conference on Human Factors in Computing Systems. 2010, 1107–1110
7
Biddle R, Chiasson S, Van Oorschot P. Graphical passwords: learning from the first twelve years. Journal of ACM Computing Surveys (CSUR), 2012, 44(4): 19–41 https://doi.org/10.1145/2333112.2333114
8
Davis D, Monrose F, Reiter M. On user choice in graphical password schemes. In: Proceedings of the 13th USENIX Security Symposium. 2004, 151–164
9
Por L Y, Lim X T. Issues, threats and future trend for GSP. In: Proceedings of the 7thWSEAS International Conference on Applied Computer & Applied Computational Science. 2008, 627–633
10
Por L Y, Lim X T. Multi-grid background Pass-Go. WSEAS Transactions on Information Science & Applications, 2008, 5(7): 1137–1148
11
Wiedenbeck S,Waters J, Sobrado L, Birget J. Design and evaluation of a shoulder-surfing resistant graphical password scheme. In: Proceedings of the Working Conference on Advanced Visual Interfaces. 2006, 177–184 https://doi.org/10.1145/1133265.1133303
12
Gao H C, Liu X Y, Wang S D, Liu H G, Dai R Y. Design and analysis of a graphical password scheme. In: Proceedings of the 4th International Conference on Innovative Computing, Information and Control. 2009, 675–678 https://doi.org/10.1109/ICICIC.2009.158
13
Por L Y. Frequency of occurrence analysis attack and its countermeasure. The International Arab Journal of Information Technology, 2013, 10(2): 189–197
14
Manjunath G, Satheesh K, Saranyadevi C, Nithya M. Text-based shoulder surfing resistant graphical password scheme. International Journal of Computer Science and Information Technologies, 2014, 5(2): 2277–2280
15
Shaikh J, Pawar C C, Jadhav V S, Sindhu M R. User authentication using graphical system. Progress in Science and Engineering Research Journal, 2015, 17(3): 56–61
16
Gao H C, Wei J, Ye F, Ma L C. A survey on the use of graphical passwords in security. Journal of Software, 2013, 8(7): 1678–1698 https://doi.org/10.4304/jsw.8.7.1678-1698
17
Sobrado L, Birget J C. Graphical passwords. The Ruthgers Scholar, 2002, 4
18
Ion I, Reeder R, Consolvo S. “⋯no one can hack my mind”: comparing expert and non-expert security practices. In: Proceedings of Symposium on Usable Privacy and Security (SOUPS). 2015, 327–346
19
Gao S, Ma W P, Zhuo Z P, Wang F H. On cross-correlation indicators of an S-box. Frontiers of Computer Science in China, 2011, 5(4): 448–453 https://doi.org/10.1007/s11704-011-0177-9
20
Por L Y, Kiah M L M. Shoulder surfing resistance using penup event and neighbouring connectivity manipulation. Malaysian Journal of Computer Science, 2010, 23(2): 121–140
21
Por L Y, Delina B. Information hiding: a new approach in text steganography. In: Proceedings of the 7th WSEAS International Conference on Applied Computer and Applied Computational Science. 2008, 689–695
22
Por L Y, Delina B, Ang T F, Ong S Y. An enchanced mechanism for image steganography using sequential colour cycle algorithm. The International Arab Journal of Information Technology, 2013, 10(1): 51–60
23
Por L Y, Lai W K, Alireza Z, Delina B. StegCure: an amalgamation of different steganographic methods in GIF image. In: Proceedings of the 12th WSEAS International Conference on Computers. 2008, 420–425
24
Por L Y, Wong K, Chee K O. UniSpaCh: a text-based data hiding method using Unicode space characters. Journal of Systems and Software, 2012, 85(5): 1075–1082 https://doi.org/10.1016/j.jss.2011.12.023
25
Feng D, Wu C. Advances in cryptography and information security — introduction of 2002–2006 progress of SKLOIS. Frontiers of Computer Science in China, 2007, 1(4): 385–396 https://doi.org/10.1007/s11704-007-0037-9
